The First Set of Post-Quantum Cryptography Standards Are Out. What Should You Do Next?

Recently, NIST made a significant announcement, releasing the first set of post-quantum encryption standards, born out of an 8-year effort to develop cryptographic algorithms that can withstand attacks from both quantum and classical computers, and can interoperate with existing communications protocols and networks.

Although NIST has been encouraging organizations to plan and prepare for the quantum-safe migration in advance of this moment, many CISOs have been on the fence, waiting for an official announcement of PQC standards. Now that the standards are released, it’s time for all organizations to step on the gas and drive preparation for the post-quantum cryptography migration at full throttle.

The new post-quantum encryption standards are based on three encryption algorithms engineered to withstand cyberattacks from a quantum computer:

  • FIPS 203 (derived from CRYSTALS-Kyber) — a key encapsulation mechanism chosen for general encryption
  • FIPS 204 (derived from CRYSTALS-Dilithium) — a lattice-based algorithm chosen for digital signatures
  • FIPS 205 (derived from SPHINCS+) — a stateless hash-based algorithm also chosen for digital signatures

If You’re Still Unsure, Here’s Why You Must Get Started Now on Your Post-Quantum Readiness Journey!

The arrival of Q-Day—the moment when a Cryptographically Relevant Quantum Computer (CRQC) can break today’s encryption—may still be a decade away, but the danger of “harvest now, decrypt later” (HNDL) schemes is immediate and real: threat actors steal and store sensitive information today so they can decrypt it once powerful quantum computers become available. Any data not protected today with PQC is at significant risk of being compromised through such schemes.

Because post-quantum cryptography (PQC) standards are built on the complex mathematics of lattices, elliptic curves, polynomials, and hash functions, they are extraordinarily difficult to break, even for the most advanced quantum computers. This is why transitioning to PQC standards is so important—it’s the best defense against the power of quantum computing—and the sooner you do it, the lower the risk of HNDL compromises.


With the release of the first set of post-quantum encryption standards, standards-defining bodies like the IETF are working on updating security protocols, cryptographic libraries, and certificates to standardize PQC implementation. Alongside, technology vendors are working on updating hardware and software products to support interoperability in PQC transition. While these updates are underway, organizations must begin preparing their infrastructures now for PQC adoption so they can move into production faster when it’s time.

It is also important to understand that cryptographic transitions are typically long and complex, often spanning decades. For example, the SHA-1 hashing algorithm was deprecated in 2011, yet many organizations continue to use it even today, a decade later. So it is fair to assume that the migration to PQC will take even longer than previous cryptographic transitions. Unlike earlier transitions, the shift to PQC is also far more complex: it requires a fundamental re-engineering of many data security parameters and an overhaul of existing infrastructure to support an entirely new generation of algorithms. This means organizations must undertake extensive work now to ensure their systems are compatible with PQC.

What’s the First Step to Begin Your Post-Quantum Cryptography Preparation?

Visibility is the first and the critical step in preparing for the transition to post-quantum cryptography. Gaining complete visibility of where and how cryptography is being used within the organization is the foundation of a PQC readiness roadmap and a successful migration.

Visibility starts with thorough cryptographic discovery. Cryptography is typically spread across the infrastructure, including managed endpoints (servers, mobile devices, and IoT devices), workloads, operating systems, applications, and services across cloud, edge, and containerized environments. Discovering all these systems and building a Cryptography Bill of Materials (CBOM), together with a comprehensive inventory of all public and private certificates and their metadata across all systems, gives full visibility into the cryptographic landscape. This visibility is essential to progress to the next set of crucial steps, which entail:

  • Assessing cryptographic systems and the data they protect to prioritize high-value sensitive assets for the transition
  • Evaluating the new standards and scoping their impact on existing cryptographic systems
  • Identifying systems that need upgrades or replacement and understanding their supply-chain dependencies
  • Engaging with third-party vendors to ensure they integrate the new PQC standards into their products/platforms to enable interoperability
  • Establishing policies around algorithm replacement
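As an added illustration of the discovery-to-prioritization steps above (not AppViewX's tooling or the article's own code), the following Python triages a constructed certificate inventory: each record is checked for classical, quantum-vulnerable algorithms, the deprecated SHA-1 hash, expiry, and HNDL exposure, then ranked for migration. The assumed CRQC year, the priority weights, and every inventory record are assumptions constructed for the example.

```python
# Constructed CBOM triage for PQC migration planning (sample data, not a scan).
from dataclasses import dataclass
from datetime import date
# FIPS 204/205 signatures are quantum-safe; RSA and EC keys are what a CRQC
# would break. The CRQC year below is a planning assumption, not a prediction.
QUANTUM_SAFE_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}
CLASSICAL_KEYS = {"RSA", "EC"}
ASSUMED_CRQC_YEAR = 2035

@dataclass
class CertRecord:
    location: str           # host and path where discovery found the cert
    sig_alg: str            # e.g. "sha256WithRSAEncryption" or "ML-DSA-65"
    key_alg: str            # "RSA", "EC" or "ML-DSA"
    not_after: date
    data_sensitivity: int   # 1 (public) .. 5 (regulated or secret)
    retention_years: int    # how long the protected data must stay confidential

def triage(rec, today=date(2024, 9, 1)):
    findings = []
    if rec.sig_alg not in QUANTUM_SAFE_SIG:
        findings.append("quantum-vulnerable signature")
    if rec.key_alg in CLASSICAL_KEYS:
        findings.append("quantum-vulnerable key")
    if "sha1" in rec.sig_alg.lower():   # SHA-1 deprecated in 2011, still found
        findings.append("deprecated hash")
    if rec.not_after < today:
        findings.append("expired")
    # HNDL: data that must stay secret past the assumed CRQC date is exposed
    # if a classical key protects it today, regardless of the cert's expiry.
    hndl = (rec.key_alg in CLASSICAL_KEYS
            and today.year + rec.retention_years > ASSUMED_CRQC_YEAR)
    if hndl:
        findings.append("HNDL exposure")
    priority = rec.data_sensitivity * (3 if hndl else 1) + len(findings)
    return {"location": rec.location, "findings": findings, "priority": priority}

def build_cbom(records, today=date(2024, 9, 1)):
    # Rank every discovered certificate so the riskiest assets migrate first.
    return sorted((triage(r, today) for r in records),
                  key=lambda e: e["priority"], reverse=True)

SAMPLE = [  # constructed inventory standing in for a discovery scan's output
    CertRecord("vpn-gw.corp:/etc/ssl/vpn.pem", "sha256WithRSAEncryption", "RSA", date(2026, 3, 1), 5, 15),
    CertRecord("legacy-app.corp:/app/cert.pem", "sha1WithRSAEncryption", "RSA", date(2023, 1, 1), 2, 1),
    CertRecord("pqc-pilot.corp:/etc/ssl/pilot.pem", "ML-DSA-65", "ML-DSA", date(2025, 9, 1), 3, 10),
]
```

The same ranking applies to the output of the scheduled discovery scans described later in the article: re-running `build_cbom` on each fresh inventory keeps the migration queue current as certificates are issued, renewed, or replaced.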

Why is Certificate Discovery and Visibility a Challenge for Many?

In many enterprises, managing digital certificates remains a highly manual process, often relying on outdated tools like spreadsheets, ad-hoc processes, and home-grown dashboards. There is no proper system for certificate discovery. So, crucial certificate information, such as the certificate location, owner, issuing CA, and crypto standards, is either vaguely recorded or entirely absent. This lack of documentation makes it difficult for organizations to identify and eliminate rogue and non-compliant certificates.

Some organizations use fragmented tools, such as the certificate management capabilities provided by a specific certificate authority (CA). These tools have limited scope and do not provide a single source of truth (inventory) for all certificates. Fragmented visibility and the lack of a single CA-agnostic certificate lifecycle management (CLM) platform make it more challenging to monitor and manage all certificates for expiration and vulnerabilities, increasing the risk of unexpected outages, security breaches, and compliance issues.


Automation is Key for Discovery, Visibility and Agility of Cryptographic Assets

Automation plays a crucial role in simplifying and enhancing certificate discovery and visibility, addressing many challenges that organizations face with manual certificate lifecycle management.

Automated CLM tools enhance discovery of digital certificates across an organization’s entire hybrid multi-cloud infrastructure, ensuring that all certificates are identified and accurately documented. Through various scanning methods that you can run on demand or at scheduled intervals, you can discover all your public and private trust certificates, leaving no room for unknown, rogue, and non-compliant certificates.

In terms of visibility, automation transforms how organizations monitor and manage their certificates. Post discovery, automated CLM tools create a centralized inventory of all certificates along with all the necessary metadata, giving you complete visibility of your cryptographic landscape. They also help keep the inventory up-to-date for identifying new certificates, providing real-time insights into aspects such as expiration dates, ownership, compliance, and overall crypto health.

This centralized, holistic visibility, together with actionable insights, allows organizations to continuously monitor certificates and remediate issues that may lead to security vulnerabilities or service disruptions. It is especially helpful in eliminating blind spots and ensuring no cryptographic system falls through the cracks during the post-quantum cryptography transition.

Automation is also a critical enabler of crypto-agility – the ability to rapidly respond to cryptographic threats and changes by switching between crypto standards. In the context of PQC, automation helps organizations not only take stock of the existing cryptographic inventory but also switch seamlessly between algorithms. This primes organizations for the future: when it’s time, they’ll be capable of transitioning to post-quantum cryptography quickly and at scale, reducing the window of data exposure and compromise.

Begin Your Crypto-Agility and Post-Quantum Readiness Journey Today with AppViewX

To support organizations throughout their PQC journey and ensure successful PQC implementation in the future, AppViewX offers:

  • AppViewX PQC Test Center: A dedicated free online resource built to help you assess your organization’s PQC readiness by generating and testing quantum-safe private trust certificates prior to their integration into existing systems, workloads, and machines. You can quickly set up your own quantum-safe PKI hierarchy and generate PQC-ready certificates and keys to test their compatibility in your environment. Visit the AppViewX PQC Test Center and begin your PQC journey today.
  • PQC Certificate Lifecycle Management: The AVX ONE platform offers a comprehensive certificate lifecycle management solution to help enable PQC readiness and crypto agility with complete certificate discovery and inventory, full certificate lifecycle automation, and total certificate control across the enterprise.

You can also watch our latest webinar on-demand—Top 3 Reasons You Need Crypto-Agility Today—to learn how to build crypto-agility and accelerate your Post-Quantum Cryptography readiness journey.

Or download our whitepaper – Crypto-Agility and Preparing for Post-Quantum Cryptography.


About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.
